CVE-2017-2522
Published: 2017-05-22
Priority: P262 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.59% (93.0th percentile)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "CoreFoundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted data.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 10.3.2 | 10.3.2 |
| apple | mac_os_x | < 10.12.5 | 10.12.5 |
| apple | macos_sierra_10.12.5_security_update_2017-002_el_capitan_and_security_update_201 | — | — |
| apple | tvos | < 10.2.1 | 10.2.1 |
| apple | tvos | — | — |
| apple | watchos | < 3.2.2 | 3.2.2 |
| apple | watchos | — | — |
Detection & IOCs (extracted from sources)
bytes
24 76 65 72 73 69 6F 6E 58 24 6F 62 6A 65 63 74 73 59 24 61 72 63 68 69 76 65 72 54 24 74 6F 70
- The vulnerability is triggered by deserializing a crafted NSCharacterSet object via NSKeyedUnarchiver. Monitor for processes receiving or unarchiving NSKeyedArchive payloads containing oversized NSCharacterSet bitmap data, which triggers memory corruption in NSCharacterSetCFCharacterSetCreateWithBitmapRepresentation.
- Look for NSKeyedArchiver-formatted binary files (containing magic bytes $versionX$objectsY$archiverT$top) being written to or read from AFC-accessible paths on iOS devices, which may indicate exploitation via lockdownd-exposed services over USB.
- Detect XPC services accepting NSKeyedArchive messages without a class whitelist (insecure mode), particularly those accepting broad base classes like NSObject, as these are exploitable for sandbox escape or privilege escalation via this CVE.
- Monitor iOS apps that serialize application state to NSKeyedArchives without secure coding enabled, as crafted archive files written to disk can serve as a memory-corruption-based persistence mechanism.
- Flag IPC messages or deserialized objects where __CFCSetGetAnnexPlaneCharacterSet is called with plane=0 after plane=1 in the same bitmap parsing loop, as this is the specific code path leading to the out-of-bounds write.
- NSXPC attack surface for this CVE is limited to services that accept overly broad base classes (e.g., NSObject) or classes with vulnerable deserializers, because NSXPC enforces upfront type whitelisting in secure coding mode.
- USB-based exploitation via lockdownd requires the attacking host to possess a valid pairing record for the target iOS device; unpaired hosts will trigger user-visible prompts.
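CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |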
Apple
CVE-2017-2522: macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite
vendor_apple·2017-05-15·CVSS 9.8
CVE-2017-2522 [CRITICAL] CVE-2017-2522: macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite
Product: macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite
CVE: CVE-2017-2522
Component: CoreFoundation
Impact: Parsing maliciously crafted data may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2017-2522: iOS 10.3.2
vendor_apple·2017-05-15·CVSS 9.8
CVE-2017-2522 [CRITICAL] CVE-2017-2522: iOS 10.3.2
Apple Security Update: About the security content of iOS 10.3.2
Product: iOS
Version: 10.3.2
CVE: CVE-2017-2522
Component: CoreFoundation
Impact: Parsing maliciously crafted data may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2017-2522: tvOS 10.2.1
vendor_apple·2017-05-15·CVSS 9.8
CVE-2017-2522 [CRITICAL] CVE-2017-2522: tvOS 10.2.1
Apple Security Update: About the security content of tvOS 10.2.1
Product: tvOS
Version: 10.2.1
CVE: CVE-2017-2522
Component: CoreFoundation
Impact: Parsing maliciously crafted data may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2017-2522: watchOS 3.2.2
vendor_apple·2017-05-15·CVSS 9.8
CVE-2017-2522 [CRITICAL] CVE-2017-2522: watchOS 3.2.2
Apple Security Update: About the security content of watchOS 3.2.2
Product: watchOS
Version: 3.2.2
CVE: CVE-2017-2522
Component: CoreFoundation
Impact: Parsing maliciously crafted data may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
GHSA
GHSA-qqhw-q3wx-gqxq: An issue was discovered in certain Apple products
ghsa_unreviewed·2022-05-14
CVE-2017-2522 [CRITICAL] CWE-119 GHSA-qqhw-q3wx-gqxq: An issue was discovered in certain Apple products
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "CoreFoundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted data.
No detection rules found.
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/98588
- https://support.apple.com/HT207797
- https://support.apple.com/HT207798
- https://support.apple.com/HT207800
- https://support.apple.com/HT207801
- https://www.exploit-db.com/exploits/42049/